
Sample of Defect

Project Name CID Checker Category Developer Description
elbing/harvey 91265 UNINIT Memory - illegal accesses in this case, we're using a pointer to memory which is not guaranteed to be zero, and potentially corrupting the malloc arena in the process. Fixed by setting name to nil. Our now cleaner malloc arena thanks you.
File: /sys/src/9/386/uartpci.c
 * distribution and at http://akaros.cs.berkeley.edu/files/Plan9License. No
 * part of the UCB release of Plan 9, including this file, may be copied,
 * modified, propagated, or distributed except according to the terms contained
 * in the LICENSE file.
 */

#include "u.h"
#include "../port/lib.h"
#include "mem.h"
#include "dat.h"
#include "fns.h"

#include "io.h"

extern PhysUart i8250physuart;
extern PhysUart pciphysuart;
extern void* i8250alloc(int, int, int);

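/*
 * Configure the n 8250-style serial ports that live in I/O BAR barno of
 * PCI device p, each attached to the generic i8250 driver. The ports are
 * laid out as one contiguous Uart array linked through ->next; the head
 * of that list is returned. Returns nil when n is not positive, when the
 * I/O range is already in use, when the Uart array cannot be allocated,
 * or when no port could be allocated (callers already cope with nil,
 * since the in-use case has always returned it).
 *
 * CID 91265 (UNINIT): the Uart array comes straight from malloc and is not
 * guaranteed to be zeroed, yet kstrdup reads uart->name before writing it
 * (the defect description says this can corrupt the malloc arena). Every
 * field kstrdup or the list walk depends on is therefore set explicitly
 * before use rather than relying on allocator zeroing.
 */
static Uart*
uartpci(int ctlrno, Pcidev* p, int barno, int n, int freq, char* name)
{
	int i, io, iobase;
	void *ctlr;
	char buf[64];
	Uart *head, *uart;

	if(n <= 0)
		return nil;

	/* Mask off bit 0 (the PCI I/O-space flag) to get the base port. */
	io = p->mem[barno].bar & ~0x01;
	snprint(buf, sizeof(buf), "%s%d", pciphysuart.name, ctlrno);
	if(ioalloc(io, p->mem[barno].size, 0, buf) < 0){
		print("uartpci: I/O 0x%uX in use\n", io);
		return nil;
	}
	iobase = io;	/* io is advanced per port below; keep the base for iofree */

	head = uart = malloc(sizeof(Uart)*n);
	if(head == nil){
		print("uartpci: no memory for %d uarts\n", n);
		iofree(iobase);
		return nil;
	}

	for(i = 0; i < n; i++){
		ctlr = i8250alloc(io, p->intl, p->tbdf);
		io += 8;	/* next port's register window, 8 I/O addresses further on */
		if(ctlr == nil)
			continue;	/* skip the slot; uart is not advanced, so entries stay packed */

		uart->regs = ctlr;
		snprint(buf, sizeof(buf), "%s.%8.8uX", name, p->tbdf);
		/*
		 * kstrdup looks at the old value of uart->name, which is
		 * uninitialized malloc memory here (CID 91265). Clear it, and
		 * the link for what may be the last entry, before use.
		 */
		uart->name = nil;
		uart->next = nil;
		kstrdup(&uart->name, buf);
		uart->freq = freq;
		uart->phys = &i8250physuart;
		if(uart != head)
			(uart-1)->next = uart;
		uart++;
	}

	/*
	 * If no port was allocated, head would point at an entry nothing
	 * ever initialized; hand back nil instead and release what we hold.
	 */
	if(uart == head){
		free(head);
		iofree(iobase);
		return nil;
	}

	return head;
}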

static Uart*
uartpcipnp(void)
{
        Pcidev *p;
        char *name;
        int ctlrno, n, subid;
        Uart *head, *tail, *uart;

        /*
         * Loop through all PCI devices looking for simple serial
         * controllers (ccrb == 0x07) and configure the ones which
         * are familiar. All suitable devices are configured to
         * simply point to the generic i8250 driver.
         */
        head = tail = nil;
        ctlrno = 0;
Events:
1. var_decl uartpci.c:28
3. alloc_fn uartpci.c:37
4. assign uartpci.c:37
7. uninit_use_in_call uartpci.c:47